The Scheme procedure used for authentication must be declared as follows:
The function return value determines whether the authentication will
succeed. The function must return either a boolean value or a pair.
The return of #t causes authentication to succeed. The return
of #f causes it to fail.
If the function wishes to add something to the reply A/V pairs, it should return a pair in the form:
(cons return-code list)
Where return-code is a boolean value of the same meaning as described above. The list is a list of A/V pairs to be added to the reply list. For example, the following function will always deny the authentication, returning appropriate message to the user:
(define (decline-auth request-list check-list reply-list)
(cons #f
(list
(cons "Reply-Message"
"\r\nSorry, you are not allowed to log in\r\n"))))
As a more constructive example, let's consider a function that allows the authentication only if a user name is found in its internal database.
(define staff-data
(list
(list "scheme"
(cons
(list (cons "NAS-IP-Address" "127.0.0.1"))
(list (cons "Framed-MTU" "8096")))
(cons
'()
(list (cons "Framed-MTU" "256"))))))
(define (auth req check reply)
(let* ((username (assoc "User-Name" req))
(reqlist (assoc username req))
(reply-list '()))
(if username
(let ((user-data (assoc (cdr username) staff-data)))
(rad-log L_INFO (format #f "~A" user-data))
(if user-data
(call-with-current-continuation
(lambda (xx)
(for-each
(lambda (pair)
(cond
((avl-match? req (car pair))
(set! reply-list (avl-merge
reply-list
(cdr pair)))
(xx #t))))
(cdr user-data))
#f)))))
(cons
#t
reply-list)))
To trigger the invocation of the Scheme authentication function, assign
its name to Scheme-Procedure attribute in RHS of a
corresponding `raddb/users' profile. E.g.:
DEFAULT Auth-Type = SQL
Scheme-Procedure = "auth"
Go to the first, previous, next, last section, table of contents.